Preparing for the CCPA

When the European Union’s General Data Privacy Regulation (GDPR) was written, it gave businesses some two years to adjust their systems so that they could be in compliance with the GDPR’s complex rules. But when state legislators approved the California Consumer Privacy Act (CCPA), companies were given just under a year to comply.

Understandably, this is causing considerable teeth gnashing on the part of many executives in the U.S. whose operations do not have a European facility or any customers on the Continent so they never gave much thought to GDPR. Some clients are concerned that vagueness in the law makes it difficult to clearly understand what they need to do, how they will be affected, and what will happen if their business runs afoul of any of its provisions.

As we wrote recently, while the two sets of regulations are similar in some respects, there are notable differences. One of the biggest is in how companies can be sanctioned and fined and the amount of the fines that can be levied.

Sanction Variations

Under GDPR, privacy commissioners may impose a fine if a company is in non-compliance or if there is a data breach – or both. The law provides for fines up to 4 percent of a company’s worldwide revenue up to €20 million, about US$22.6 million at today’s exchange rate, whichever is greater.

The California law does not provide penalties for non-compliance as such, but it calculates fines on a per-violation basis of up to $7,500 for each incident, whether a breach affects an individual or a household. There is no maximum or cap on what can be levied against a company, so if, say, 10,000 individuals have had their identifiable information breached, the total fine can add up quickly.

Another key difference is that the CCPA also allows people to file a lawsuit against a company that has suffered a data breach.

Be Prepared

There is a lot of confusion about CCPA. For instance, it says the law applies to companies based in California with annual sales of more than $25 million or where the main business activity is selling data – the so-called Facebook provision. But it is still unclear just what this means. Because the state is so large – by many estimates, it has the world’s fifth or sixth biggest economy – does “based” mean it has a facility or employees there? Will a business located elsewhere but with customers in California be subject to the law and its penalties if their data is breached?

Until the state Attorney General issues the regulations governing CCPA, which are not expected for several more months, our advice to clients is to be proactive and consult with experienced counsel.

For starters, we generally advise clients to be sure that personally identifiable data is encrypted. As is the case with the GDPR, under the CCPA encryption not only offers some protection against a hack, but can also reduce liability.

The California law takes effect January 1, 2020. Businesses had two years to prepare for GDPR yet many were scrambling at the last minute to be ready. For companies wondering about what impact CCPA will have on them, the best advice is to follow the Boy Scouts motto: Be prepared.

Marcus has one of the country’s leading practices devoted to drafting and negotiating Enterprise Software related license, implementation and SaaS agreements, as well as litigating failed software implementations in courts and before arbitration panels across the country.

About this Blog

Attorneys in Taft’s Technology group represent businesses on a broad range of issues relating to the ever-changing world of technology. Our multidisciplinary team combines extensive knowledge of the law with practical experience in the regulatory environment and the business concerns and risks that technology companies face on a daily basis.